TY - GEN
T1 - A Proposal of Information Security Policy Agreement Method for Merger and Acquisition Using Assurance Case and ISO 27001
AU - Kobayashi, Nobuyuki
AU - Nakamoto, Aki
AU - Kawase, Maki
AU - Ioki, Makoto
AU - Shirasaka, Seiko
N1 - Publisher Copyright:
© 2019 IEEE.
PY - 2019/7
Y1 - 2019/7
N2 - This study proposes an assurance case description method, based on the framework of the Information Security Management System (ISMS; ISO 27001), for agreeing on information security policies through co-creation of values between a parent company and its subsidiary or subsidiaries that are merged or acquired. Information security policy varies among companies. Parent companies need to agree with their merged or acquired companies on the information security policies in order to maintain the existing business of the subsidiaries while the parent companies continue to use the current IT infrastructure and network. This study first structures ISO 27001 by using an assurance case. We then show the items of the information security policies on which a parent company and its subsidiary do not agree, based on each company's policy. As a result, this study will: 1) clarify the range of agreement and disagreement between the two companies' information security policies; and 2) show how the two companies mutually conclude a final agreement for the entire range using the assurance case created. We asked three experts in information security to evaluate the Understanding, Utility and Effectiveness of the proposed assurance case description method, which the study participants used to create the assurance case.
AB - This study proposes an assurance case description method, based on the framework of the Information Security Management System (ISMS; ISO 27001), for agreeing on information security policies through co-creation of values between a parent company and its subsidiary or subsidiaries that are merged or acquired. Information security policy varies among companies. Parent companies need to agree with their merged or acquired companies on the information security policies in order to maintain the existing business of the subsidiaries while the parent companies continue to use the current IT infrastructure and network. This study first structures ISO 27001 by using an assurance case. We then show the items of the information security policies on which a parent company and its subsidiary do not agree, based on each company's policy. As a result, this study will: 1) clarify the range of agreement and disagreement between the two companies' information security policies; and 2) show how the two companies mutually conclude a final agreement for the entire range using the assurance case created. We asked three experts in information security to evaluate the Understanding, Utility and Effectiveness of the proposed assurance case description method, which the study participants used to create the assurance case.
KW - Assurance Case
KW - Co-creation
KW - Dependability Case
KW - Information security policy
KW - M&A
UR - http://www.scopus.com/inward/record.url?scp=85080925108&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85080925108&partnerID=8YFLogxK
U2 - 10.1109/IIAI-AAI.2019.00150
DO - 10.1109/IIAI-AAI.2019.00150
M3 - Conference contribution
AN - SCOPUS:85080925108
T3 - Proceedings - 2019 8th International Congress on Advanced Applied Informatics, IIAI-AAI 2019
SP - 727
EP - 733
BT - Proceedings - 2019 8th International Congress on Advanced Applied Informatics, IIAI-AAI 2019
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 8th IIAI International Congress on Advanced Applied Informatics, IIAI-AAI 2019
Y2 - 7 July 2019 through 11 July 2019
ER -